November 20, 2023 at 09:33AM
Johnson Controls has released patches for a critical vulnerability found in some of its industrial refrigeration products. The flaw, known as CVE-2023-4804, could allow unauthorized access to debug features. Impacted products include control panels used in the food and beverage industry worldwide. The patches fix the vulnerability that could potentially lead to an attacker gaining full administrative control of a Quantum HD system. It took Johnson Controls six months to release the patches due to the wider impact and the need to fix all platforms simultaneously. The vulnerability may be attributed to a “software supply chain” issue resulting from mergers and acquisitions.
Key takeaways from the meeting notes are:
1. Johnson Controls has recently announced patches for a critical vulnerability in some of its industrial refrigeration products. The vulnerability, tracked as CVE-2023-4804, allows unauthorized users to access accidentally exposed debug features.
2. Impacted products include Frick Quantum HD Unity Compressor, AcuAir, Condenser/Vessel, Evaporator, Engine Room, and Interface control panels. These products are used worldwide, including in the critical manufacturing sector.
3. Johnson Controls has released updates for each of the impacted control panels to patch the vulnerability. The vulnerability has been assigned a CVSS score of 10, indicating critical severity.
4. The vulnerability, discovered by an external researcher, could potentially allow an attacker to gain full administrative control of a Quantum HD system.
5. While the specific impact of exploiting this vulnerability in a real-world scenario is unclear, cyberattacks targeting refrigeration systems could cause disruption and financial damage, such as altering temperature settings to affect the quality of stored goods.
6. There are potentially vulnerable systems exposed to the internet in North America, which may be at risk of attacks.
7. Johnson Controls took approximately six months to roll out the patches for the vulnerability due to the wider impact discovered during investigations, prompting the company to fix all affected platforms simultaneously.
8. The vulnerability’s origin may be traced back to the Frick vendor, which was acquired by York and subsequently became part of Johnson Controls. This highlights the importance of due diligence during mergers and acquisitions.
9. The researcher who reported the vulnerability commends Johnson Controls for having a responsible disclosure process and a product security team. However, they were surprised to be the first to report the issue, suggesting that the noise of the acquisitions may have left the company without visibility into the vulnerability.
10. It is worth noting that Johnson Controls has previously been targeted by ransomware attacks.